framing: check for overflow on growing buffer

newsize is a long, but storage is an int. This means the allocation could succeed but storage would overflow. Closes #2300

framing: check for overflow on growing buffer
newsize is a long, but storage is an int. This means the allocation could succeed but storage would overflow. Closes #2300
684c7377 · Clément Bœsch · 0bbcba4e · 684c7377
Commit 684c7377 authored Aug 05, 2020 by Clément Bœsch
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 1 deletion

src/framing.c src/framing.c +6 -1

No files found.
--- a/src/framing.c
+++ b/src/framing.c
@@ -597,9 +597,14 @@ char *ogg_sync_buffer(ogg_sync_state *oy, long size){

  if(size>oy->storage-oy->fill){
    /* We need to extend the internal buffer */
-    long newsize=size+oy->fill+4096; /* an extra page to be nice */
+    long newsize;
    void *ret;

+    if(size>INT_MAX-4096-oy->fill){
+      ogg_sync_clear(oy);
+      return NULL;
+    }
+    newsize=size+oy->fill+4096; /* an extra page to be nice */
    if(oy->data)
      ret=_ogg_realloc(oy->data,newsize);
    else